This is the talk page for discussing improvements to the HTTP Public Key Pinning article. This is not a forum for general discussion of the article's subject.
This article is rated C-class on Wikipedia's content assessment scale. It is of interest to the following WikiProjects:
The Chrome devs want to deprecate and remove public key pinning: https://groups.google.com/a/chromium.org/forum/m/#!msg/blink-dev/he9tr7p3rZ8/eNMwKPmUBAAJ
"This will first remove support for HTTP-based PKP (“dynamic pins”), in which the user-agent learns of pin-sets for hosts by HTTP headers. We would like to do this in Chrome 67, which is estimated to be released to Stable on 29 May 2018."
The article should probably reflect this, but I'm unsure about phrasing and placement. ChristophLukas (talk) 20:55, 27 October 2017 (UTC)
What happened to the following statement? Why was it removed by @Hello71?
Second, the reporting mechanism is suppressed from broken pinsets. The reporting of the broken pinset is called out as MUST NOT report, so a complying user agent will be complicit in the cover up after the fact.
Was it simply wrong or what's wrong with this statement?
At least in https://tools.ietf.org/html/rfc7469#section-2.1.4 I could not find any information that the client 'must not' report broken pinsets. -- rugk (talk) 22:23, 28 June 2015 (UTC)
Public Key Pinning is a more general mechanism which encompasses HTTP Public Key Pinning (HPKP) and static list Public Key Pinning (static pins). Furthermore, HPKP was deprecated (in favor of Certificate Transparency and Expect-CT) and removed from Chrome 72+ (see article) and Firefox, the only other implementer of HPKP, announced plans to remove support and already disabled HPKP by default on development branch.[1] Therefore, I propose:
[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1412438 Anton.bersh (talk) 00:26, 14 November 2019 (UTC)
Cloud 2A00:1FA0:827:18FB:0:18:2790:1901 (talk) 20:30, 22 January 2022 (UTC)
This article (https://github.com/syang7081/server-authentication/wiki) proposed a method to authenticate servers and prevent MiTM attacks through digital signature verification, instead of public key validation. Syang7081 (talk) 06:01, 30 June 2024 (UTC)